J.H.M. Dassen reported that the open-in-browser command does not properly escape shell metacharacters in the URL before passing it to system().

Impact

A remote attacker could entice a user to open a feed with specially crafted URLs, possibly resulting in the remote execution of arbitrary shell commands with the privileges of the user running the application.